Phishing Campaign Thwarted in 10 minutes

This could’ve happened to anyone, and shows that getting phished is as easy as A-B-C.

The first visible sign of a phish was this perfectly crafted email from one internal user to another, referencing DocuSign. It arrived at 7:59 with instructions to click.

The attacker did a fine job of making this look like a legitimate email. When the recipient trusts the sender, they are more likely to click. While it’s easy to say “trust no email,” it’s also easy to forget on a Monday morning.

Clicking the link took the user to a login selection page. This attacker spread their net widely, offering the user single sign-on through several popular email systems. Can you spot a clue?

It’s abnormal these days to offer to log in using AOL, but they did cover O365 and Google.

The targeted user was somewhat suspicious, because they replied to the sender asking, “Is this real?” Not knowing their colleague’s account was under the control of the attacker, when they received “Yes” as a reply, they accepted the attacker’s confirmation that it was legit and clicked again. Users should text or call, not use email, to confirm authenticity before clicking.

Clicking the Office 365 link leads to another perfect replica of a login page, served from the same bogus URL.

Once the user entered them, their account credentials were in the attacker’s hands, without the user knowing.

The Phish Hunter’s View:

Enabling Technologies had helped the organization’s IT team configure their Office 365 system with Phish Hunting capabilities. At about the time of the sent item, Phish Hunter automatically disabled the sender’s Azure AD/Office 365 account and the local AD account.

How did this automatically happen?

At 7:49 local time, Microsoft’s Cloud App Security identified that the same user credentials were being used from an IP address in South Africa. The key excerpt of that user’s vast log is below.

Remember, that first screenshot was of the attacker sending the DocuSign message from the compromised account to others in the organization. Attackers do this to move laterally or up the org chart until they reach executives or the accounts payable person responsible for paying invoices, whom they then dupe into paying a bogus invoice by wiring money to the attacker’s bank account. The log of the AlwaysDelete activity was gleaned from Cloud App Security: the attacker was trying to cover their tracks by deleting the sent phishing messages.

The attacker wasn’t done just yet. Later that morning, several ISPs in South Africa had to be manually blocked because they were still attempting to log in to the organization’s accounts. Using Azure AD’s “Named Locations,” specific countries (or ISPs) can be configured as allowed or blocked.

In Summary:

Ten minutes to resolution, compared with what otherwise could’ve gone undetected for days or months.

It’s the combination of the location of the login and the activity taken in the account that enabled Phish Hunter to detect the breach. There were 1075 normal log entries for that user that February morning.

Phish Hunter:

sifted through all the logs for the needle in the haystack

found the activity indicating the account was compromised

auto-remediated that user’s account by locking them out and requiring a password reset

alerted the admin so they could thwart further attempts to breach the organization that day
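As an added example that is not part of the original post and is not Enabling Technologies’ Phish Hunter, the Python sketch below shows the two-signal logic the summary describes: a sign-in from a country the tenant does not expect, followed within a short window by a burst of internal sends and an AlwaysDelete of the sent items, is what turns 1075 ordinary log lines into one finding. The simplified log shape, the field names, the example.com users, the date and the sample records are all constructed assumptions; a user who merely signs in from abroad without suspicious activity is deliberately left unflagged, matching the post’s point that it is the combination that matters.

```python
"""Toy phish-hunting detector over constructed activity logs (added example).

Not Phish Hunter and not Cloud App Security output: the record layout below is a
constructed simplification (timestamp, user, sign-in country, activity, target).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records for one February morning (hypothetical tenant).
SAMPLE_LOG = [
    {"ts": "2019-02-11T07:40:00", "user": "alice@example.com", "country": "US", "activity": "Logon", "target": ""},
    {"ts": "2019-02-11T07:49:00", "user": "alice@example.com", "country": "ZA", "activity": "Logon", "target": ""},
    {"ts": "2019-02-11T07:59:00", "user": "alice@example.com", "country": "ZA", "activity": "SendMail", "target": "bob@example.com"},
    {"ts": "2019-02-11T07:59:10", "user": "alice@example.com", "country": "ZA", "activity": "SendMail", "target": "carol@example.com"},
    {"ts": "2019-02-11T07:59:20", "user": "alice@example.com", "country": "ZA", "activity": "SendMail", "target": "dave@example.com"},
    {"ts": "2019-02-11T08:02:00", "user": "alice@example.com", "country": "ZA", "activity": "AlwaysDelete", "target": "Sent Items"},
    # Normal colleague: home country, one ordinary send.
    {"ts": "2019-02-11T08:05:00", "user": "carol@example.com", "country": "US", "activity": "Logon", "target": ""},
    {"ts": "2019-02-11T08:06:00", "user": "carol@example.com", "country": "US", "activity": "SendMail", "target": "dave@example.com"},
    # Travelling colleague: unexpected country but no suspicious activity, so not flagged.
    {"ts": "2019-02-11T08:10:00", "user": "erin@example.com", "country": "GB", "activity": "Logon", "target": ""},
    {"ts": "2019-02-11T08:11:00", "user": "erin@example.com", "country": "GB", "activity": "SendMail", "target": "bob@example.com"},
]

EXPECTED_COUNTRIES = {"US"}   # assumed home country of the tenant
WINDOW = timedelta(hours=1)   # look-ahead after a suspicious sign-in
SEND_BURST = 3                # distinct internal recipients that count as a burst


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def detect_compromised(log, expected_countries=EXPECTED_COUNTRIES,
                       window=WINDOW, send_burst=SEND_BURST):
    """Return {user: [reasons]} for accounts showing BOTH an unexpected-location
    sign-in and suspicious mailbox activity inside `window` after it."""
    by_user = defaultdict(list)
    for rec in sorted(log, key=_ts):
        by_user[rec["user"]].append(rec)

    findings = {}
    for user, recs in by_user.items():
        for i, rec in enumerate(recs):
            if rec["activity"] != "Logon" or rec["country"] in expected_countries:
                continue  # only unexpected-location sign-ins start an evaluation
            start = _ts(rec)
            later = [r for r in recs[i + 1:] if _ts(r) - start <= window]
            recipients = {r["target"] for r in later if r["activity"] == "SendMail"}
            deletes = [r for r in later if r["activity"] == "AlwaysDelete"]

            reasons = [f"sign-in from unexpected country {rec['country']} at {rec['ts']}"]
            if len(recipients) >= send_burst:
                reasons.append(f"burst of {len(recipients)} internal sends after that sign-in")
            if deletes:
                reasons.append(f"AlwaysDelete of {deletes[0]['target']} at {deletes[0]['ts']}")
            if len(reasons) > 1:  # location alone is not enough; need activity too
                findings[user] = reasons
                break
    return findings


def remediate(findings):
    """Return the actions a responder would take; a real deployment would call
    the directory and tenant APIs here instead of returning a plan."""
    actions = []
    for user, reasons in findings.items():
        actions.append({"user": user, "action": "disable_account"})
        actions.append({"user": user, "action": "require_password_reset"})
        actions.append({"user": user, "action": "alert_admin", "detail": "; ".join(reasons)})
    return actions


if __name__ == "__main__":
    found = detect_compromised(SAMPLE_LOG)
    for step in remediate(found):
        print(step)
```

The window and burst threshold are tunable assumptions; in practice the sign-in signal would come from the tenant’s sign-in logs and the mailbox activity from Cloud App Security, and the remediation functions would disable the cloud and on-premises accounts rather than returning a list.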

Back to work you go, or maybe, if it’s your thing, you can go fishing!
